[Bug 1904615] Re: cpio symlink traversal
Steve Beattie
1904615 at bugs.launchpad.net
Tue Feb 9 23:33:54 UTC 2021
Hello Yiğit,
Sorry for the delay in responding to this issue. This issue was
originally identified as CVE-2015-1197 and fixed around the same time
frame. It was addressed in upstream cpio commit
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca
in a differently taken approach when vendors fixed the issue in 2015.
This differening behavior change resulted in the debian maintainer
undoing the symlink mangling portion of the fix via
https://salsa.debian.org/lamby/pkg-
cpio/-/commit/1d1163018b2ca240a6a1c9404f7e05c3bfa62f94 and this is what
has landed in focal and newer.
Relevant debian bug reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946267
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469
upstream thread about the issue:
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00013.html
Alas, at this time, it does not appear to have been addressed upstream.
Thanks for the report.
** Bug watch added: Debian Bug tracker #946267
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946267
** Bug watch added: Debian Bug tracker #946469
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946469
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1197
** Package changed: ubuntu => cpio (Ubuntu)
** Changed in: cpio (Ubuntu)
Status: New => Confirmed
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cpio in Ubuntu.
https://bugs.launchpad.net/bugs/1904615
Title:
cpio symlink traversal
Status in cpio package in Ubuntu:
Confirmed
Bug description:
Summary:
A malicious file may be able to overwrite arbitrary files
Steps to reproduce:
1- Download "dirsymlink.cpio"
2- Extract it with "cpio -i < dirsymlink.cpio" command
Proof of concept:
dirsymlink.mp4
Version:
Ubuntu 20.10
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cpio/+bug/1904615/+subscriptions
More information about the foundations-bugs
mailing list